NASA OIG Audit of NASA's Security Operations Center

NASA spends approximately $1.4 billion per year on information technology (IT) investments for systems that control spacecraft, collect and process scientific data, provide security for critical infrastructure, and enable Agency personnel to collaborate with colleagues around the world. The Agency also maintains a significant Internet presence with approximately 3,200 publicly accessible websites and web applications that allow NASA to share information on its aeronautics, science, and space programs with the public and worldwide research community. With IT security threats at NASA increasing in number and complexity, detecting and promptly responding to these threats has become an essential part of the Agency's IT security program.

Managing IT security incidents at NASA is a highly decentralized activity involving the Agency's Headquarters and nine Centers. In November 2008, NASA created the Security Operations Center (SOC) at Ames Research Center (Ames) to identify and respond to Agency-wide security threats to NASA networks and IT systems. The SOC is part of the Office of the Chief Information Officer (OCIO) and is overseen by the OCIO's Senior Agency Information Security Officer (SAISO). The SOC received $14.7 million in funding for fiscal year 2018, and its services are provided via a task order issued under a much larger IT support contract at Ames. Ten NASA civil service and 36 contractor personnel staff the SOC. In this review, we assessed NASA's management of the SOC as well as its operations, capabilities, workload, and resource management. To complete this audit, we reviewed Federal and NASA IT security policies as well as industry best practices. We also interviewed NASA Headquarters, Center, and SOC officials and benchmarked with IT officials at the Federal Bureau of Investigation, the Department of Justice's Justice Management Division, and the Department of Energy.

WHAT WE FOUND

Since its inception a decade ago, the SOC has fallen short of its original intent to serve as NASA's cybersecurity nerve center. These shortcomings stem in part from the Agency's failure to develop an effective IT governance structure, the SOC's lack of necessary authorities, and frequent turnover in OCIO leadership, and they have detrimentally affected SOC operations, limiting its ability to coordinate the Agency's IT security oversight and to develop new capabilities to address emerging cyber threats. In sum, the SOC lacks the key structural building blocks necessary to effectively meet its IT security responsibilities.

Industry best practice for an effective SOC recommends a charter signed by stakeholders that explicitly details authorities and responsibilities. Such a charter would allow the SOC to more effectively push for the resources and the cooperation required to execute its mission. However, after 10 years the NASA SOC has no charter to govern its operations or outline its authorities. In addition, the SOC has no roadmap for moving from its current state to a future state of operation, a critical management tool for establishing priorities for continual improvement.

Similarly, the SOC lacks authority to manage information security incident detection and remediation for the entirety of NASA's IT infrastructure. Specifically, the SOC does not have operational level agreements (OLA) in place with key divisions, Centers, and Mission Directorates that would allow comprehensive visibility of both institutional and Mission systems – that is, the systems and related networks that support the Agency's aeronautics, science, and space programs. Instead, the SOC relies on informal agreements and personal relationships (with varying degrees of success), resulting in a lack of visibility into Mission networks and high-value IT assets, insufficient ability to store data and determine relationships between potentially suspicious events, incomplete network mapping, and missed opportunities to reduce duplication and leverage economies of scale. Taken together, these shortcomings limit the SOC's capacity to effectively respond to cyberattacks and proactively protect NASA's IT assets.

SOC officials attribute many of the organization's challenges to a lack of leadership stability. In the 10 years since the SOC was established, nine different individuals have served as SAISO or Acting SAISO. Because the SAISO is responsible for managing an Agency-wide information security program and identifying SOC priorities, frequent turnover in this position has resulted in constantly changing priorities and management direction. For example, in 2016 the then-SAISO canceled six projects SOC officials argued were needed to address critical cybersecurity gaps. Less than a year later, funding for four of the projects was reinstated by the OCIO when the SAISO left NASA after serving in the position for about a year. However, the Agency spent $3.3 million on the two projects that were not reinstated.

Finally, the current contract vehicle used to procure SOC services limits the Agency's operational flexibility and the ability of SOC management to measure contractor performance. Instead of utilizing a dedicated, Agency-wide service contract, NASA procures SOC services through a task order on a much larger IT services contract at Ames. Because the current SOC task order accounts for only 2.7 percent of the contract's total current award value, any performance issues at the SOC will not significantly affect the contractor's overall performance evaluation, resulting in little ability under the contract to motivate improvement. Additionally, while NASA Headquarters funds the task order for SOC operations, Ames procurement officials are responsible for managing the contract and evaluating contractor performance. Consequently, OCIO's insight and supervisory authority over this critical Agency-wide enterprise has been limited, adversely affecting SOC personnel and resources.

WHAT WE RECOMMENDED

To ensure the SOC is best positioned to serve as the Agency's front line of cyber defense and better monitor, detect, and mitigate cyber incidents across NASA, we made six recommendations: (1) develop a charter and set of authorities that address the SOC's organizational placement, purpose, authority, and responsibilities; (2) establish OLAs with appropriate NASA entities; (3) perform an Agency-wide assessment of storage solutions to support Agency incident detection and response capabilities; (4) develop initiatives to support network mapping to improve the SOC's Agency-wide visibility and enable effective decision making; (5) perform an analysis and document the benefits of either maintaining the current SOC contract structure or transitioning to a dedicated SOC contract to improve performance and flexibility; and (6) identify and utilize the incident monitoring, detection, and response capabilities, including toolsets and competencies, available Agency-wide, and reduce unnecessary duplication among them, to enhance the capabilities and resources of the SOC and realize efficiencies.

We provided a draft of this report to NASA management, who concurred with our recommendations and described planned corrective actions. We consider the proposed actions responsive for five of the six recommendations and will close them upon their completion and verification. With regard to Recommendation 1, the Agency did not specifically indicate whether the SOC charter and authorities would be approved by the NASA Administrator. Therefore, we consider this recommendation unresolved pending further discussion with the Agency.